Re: [arch-announce] The xz package has been backdoored




On Fri, 2024-03-29 at 18:55 +0000, Arch Linux: Recent news updates: David Runge wrote:
> TL;DR: Upgrade your systems and container images **now**!

Thanks for sharing. Truly an astounding revelation.

This is a very, very sophisticated tool-chain attack along the lines of
Ken Thompson's famous compiler trust example [1].

Arch has been a strong advocate for reproducible builds [2], which can
be part of a defense strategy. I note that our xz package is marked
as good in this regard [3].  I wonder what more we can reasonably do in
the near term.

Since git gives us decent tools to check what changed etc., I would
imagine that can provide a stronger base on which to check things than
working with tarballs or tarballs alone.  

This may have gone largely un-noticed for so long as people are
probably more likely to check the source than the tarball itself. In
this case, it seems, it was a primary developer doing the naughty - but
they chose to leave the git repo alone and only infect the tarball.

Question:
--------

Would it make sense, therefore, to switch builds, where possible, away
from tar files and instead pull directly from git source (signed tags
where possible as usual etc)? Of course a git repo can also carry
infections - perhaps that's a little less likely.

Or is this not worth the trouble?


Gene


 [1] https://wiki.c2.com/?TheKenThompsonHack
 [2] https://reproducible-builds.org/
     https://wiki.archlinux.org/title/DeveloperWiki:ReproducibleBuilds
     https://bootstrappable.org/
 [3] https://reproducible.archlinux.org/



-- 
Gene
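The check Gene's question points at, written out as an added example (not part of the message above, and not Arch's own build tooling): take the tag a release claims to be built from, produce `git archive` of that tag, hash every regular file on both sides and diff the two manifests, so any file that exists only in the tarball, or whose content differs from the committed copy, is reported by path. The repository, the tag `v1.0`, the tarball layout `demo-1.0/` and the planted file `m4/extra.m4` are all constructed here for the demonstration; it needs git, tar, sha256sum and diff.

```shell
# Added example, not from the original message or from Arch's tooling.
# Compare a release tarball with `git archive` of the tag it claims to be
# built from. All names below (repo, v1.0, demo-1.0/, m4/extra.m4) are
# constructed for the demo.

# tar_manifest TARBALL STRIP
#   Print "sha256  path" for every regular file in TARBALL, with STRIP
#   leading path components removed, sorted by path.
tar_manifest() {
    tmp=$(mktemp -d)
    tar --strip-components="$2" -xf "$1" -C "$tmp"
    ( cd "$tmp" && find . -type f | sed 's|^\./||' | sort |
        while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
        done )
    rm -rf "$tmp"
}

# compare_tarball_to_tag REPO TAG TARBALL
#   Print one diff line per discrepancy: "<" = only in git (or differs),
#   ">" = only in the tarball (or differs). Prints nothing when they match.
#   The tarball is assumed to have one top-level directory (demo-1.0/),
#   hence --strip-components=1 for it and 0 for the git archive.
#   For a signed tag, run `git -C REPO verify-tag TAG` first (needs the
#   maintainer's public key in your keyring); the demo tag is unsigned,
#   so that step is not run here.
compare_tarball_to_tag() {
    ref=$(mktemp); a=$(mktemp); b=$(mktemp)
    git -C "$1" archive --format=tar "$2" > "$ref"
    tar_manifest "$ref" 0 > "$a"
    tar_manifest "$3" 1 > "$b"
    diff "$a" "$b" || true
    rm -f "$ref" "$a" "$b"
}

# tarball_matches_tag REPO TAG TARBALL: exit 0 iff there is no discrepancy.
tarball_matches_tag() {
    [ -z "$(compare_tarball_to_tag "$1" "$2" "$3")" ]
}

# build_demo: constructed scenario. A throwaway repository with one tagged
# commit, and a "release" tarball that is the tagged tree plus one file
# (m4/extra.m4) the repository never contained. Prints "REPO TAG TARBALL".
build_demo() {
    work=$(mktemp -d)
    repo=$work/repo
    git -c init.defaultBranch=main init -q "$repo"
    printf 'AC_INIT([demo], [1.0])\n' > "$repo/configure.ac"
    mkdir "$repo/src"
    printf 'int main(void) { return 0; }\n' > "$repo/src/main.c"
    git -C "$repo" add -A
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'release 1.0'
    git -C "$repo" tag v1.0
    rel=$work/demo-1.0
    mkdir "$rel"
    git -C "$repo" archive --format=tar v1.0 | tar -xf - -C "$rel"
    mkdir "$rel/m4"
    printf '# present only in the tarball, never committed\n' > "$rel/m4/extra.m4"
    tar -cf "$work/demo-1.0.tar" -C "$work" demo-1.0
    printf '%s %s %s\n' "$repo" v1.0 "$work/demo-1.0.tar"
}

# Demo run: the only output is a ">" line naming m4/extra.m4.
set -- $(build_demo)
compare_tarball_to_tag "$1" "$2" "$3"
```

Two caveats when pointing this at a real project. A legitimate autotools release tarball carries generated files (`configure`, `Makefile.in`, `aclocal.m4`, copies of m4 macros) that are deliberately not committed, so the diff will not be empty; the discipline is that every ">" line has to be explained, either by regenerating those files from the tag with the same autotools versions and comparing again, or by reading each one. Second, the comparison only tells you the tarball equals the tag; it says nothing about whether the commits behind the tag are sound, which is where the signed-tag verification Gene mentions and ordinary code review still have to do their work.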
